The NSA released a PDF entitled “Spotting the Adversary with Windows Event Log Monitoring” earlier this year. The good news is it’s probably one of the most detailed documents I’ve seen in a long time. From setting up Event Subscriptions to a hardened use of Windows Remote Management, including authentication and firewalls, the document tells you how to securely set up an environment where you can natively consolidate and monitor event-log-based entries. In addition, the NSA goes on to cover a number of areas that should be monitored – complete with event IDs:
http://www.redblue.team/2015/09/spotting-adversary-with-windows-event.html
http://www.redblue.team/2015/09/spotting-adversary-with-windows-event_21.html
Event forwarding guidance: https://github.com/iadgov/Event-Forwarding-Guidance
Machine-specific issues – which can be indications of malicious activity
- Application Crashes
- System or Service Failures
- Kernel and Device Signing
- The Windows Firewall
Administrator Activity – specific actions performed that may be suspect
- Clearing of Event Logs
- Software and Service Installation
- Remote Desktop Logon
- Account Usage
The bad news is you’re still left to sort out a TON of event log detail and interpret whether the entries are a problem or not.
Additionally: Changes to Group Policy only show up in the events as a change to the policy, but lack detail on exactly what was changed within the Group Policy.
To truly have a grasp on whether you have an “adversary” within or not and, if so, what that adversary is doing, you’re going to require a solution that not only collects events, but can correlate them into something intelligent. Your solution should:
- Consolidate events
- Focus on the events you are concerned about
- Provide comprehensive detail about the changes to your systems, security and data
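As an added example (not code from this post or from the NSA guide) of what “correlate them into something intelligent” can look like, the snippet below runs over constructed sample events, using event IDs from the tables further down: it alerts on events that are suspicious on their own (1102, 4697, 4698, 7045) and on a new account (4720) being added to a security-enabled group within a short window of its creation. It assumes the events have already been consolidated, e.g. by Windows Event Forwarding, and flattened into dicts.

```python
"""Correlate Windows Security events by the event IDs tabulated above.
Added example (not from the NSA guide or this post); assumes events were
already consolidated by Windows Event Forwarding and flattened into dicts.
All records below are constructed sample data."""
from datetime import datetime, timedelta

# Subset of the event ID table on this page, keyed by event ID.
CATEGORY = {
    1102: "Event log cleared", 4720: "User account created",
    4697: "New service installed", 4698: "New scheduled task",
    7045: "New Windows service", 4624: "Successful logon",
    4732: "Member added to security local group",
    4728: "Member added to security global group",
    4756: "Member added to security universal group",
}
MEMBER_ADDED = {4728, 4732, 4756}        # security-enabled group additions
ALWAYS_ALERT = {1102, 4697, 4698, 7045}  # worth a look on their own


def correlate(events, window=timedelta(minutes=30)):
    """Return alert strings: stand-alone suspicious events, plus an account
    creation (4720) followed within `window` by that same account being
    added to a security-enabled group on the same host."""
    alerts, created = [], {}  # created: (host, account) -> time of 4720
    for ev in sorted(events, key=lambda e: e["time"]):
        eid, host, ts = ev["id"], ev["host"], ev["time"]
        if eid in ALWAYS_ALERT:
            alerts.append(f"{host}: {CATEGORY[eid]} (Event {eid})")
        if eid == 4720:
            created[(host, ev["target"])] = ts
        elif eid in MEMBER_ADDED:
            key = (host, ev["target"])
            if key in created and ts - created[key] <= window:
                secs = int((ts - created[key]).total_seconds())
                alerts.append(f"{host}: new account {ev['target']} added to "
                              f"{ev['group']} {secs}s after creation "
                              f"(Events 4720 -> {eid})")
    return alerts


T0 = datetime(2015, 9, 21, 10, 0)
SAMPLE_EVENTS = [  # constructed, not real log data
    {"id": 4624, "host": "DC01", "time": T0, "target": "jsmith"},
    {"id": 4720, "host": "DC01", "time": T0 + timedelta(minutes=2), "target": "svc_backup"},
    {"id": 4732, "host": "DC01", "time": T0 + timedelta(minutes=5),
     "target": "svc_backup", "group": "Administrators"},
    {"id": 1102, "host": "WS07", "time": T0 + timedelta(minutes=9)},
    {"id": 4728, "host": "DC01", "time": T0 + timedelta(hours=3),
     "target": "jsmith", "group": "Domain Users"},
]
```

Calling `correlate(SAMPLE_EVENTS)` yields two alerts: the svc_backup account added to Administrators 180 seconds after creation, and the cleared log on WS07; the jsmith group change is ignored because no matching 4720 precedes it.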
Software solutions:
- Netwrix Auditor for AD
- Dell Change Auditor for AD
- IBM QRadar (SIEM)
- Splunk (SIEM): Splunk Windows Auditing using the NSA guide: https://github.com/anthonygtellez/windows_auditing
MS white paper on best practices to secure AD: http://aka.ms/bpsadtrd
MS Advanced Threat Analytics (MS ATA): https://www.microsoft.com/en-us/server-cloud/products/advanced-threat-analytics/
Windows Event IDs useful for intrusion detection:
Category | Event ID | Description
---|---|---
User Account Changes | 4720 | Created
User Account Changes | 4722 | Enabled
User Account Changes | 4723 | User changed own password
User Account Changes | 4724 | Privileged user changed this user’s password
User Account Changes | 4725 | Disabled
User Account Changes | 4726 | Deleted
User Account Changes | 4738 | Changed
User Account Changes | 4740 | Locked out
User Account Changes | 4767 | Unlocked
User Account Changes | 4781 | Name change
Domain Controller Authentication Events | 4768 | TGT was requested
Domain Controller Authentication Events | 4771 | Kerberos pre-auth failed
Domain Controller Authentication Events | 4772 | TGT request failed
Logon Session Events | 4624 | Successful logon
Logon Session Events | 4647 | User initiated logoff
Logon Session Events | 4625 | Logon failure
Logon Session Events | 4776 | NTLM logon failed
Logon Session Events | 4778 | Remote desktop session reconnected
Logon Session Events | 4779 | Remote desktop session disconnected
Logon Session Events | 4800 | Workstation locked
Logon Session Events | 4801 | Workstation unlocked
Domain Group Policy | 4739 | Domain GPO changed
Domain Group Policy | 5136 | GPO changed
Domain Group Policy | 5137 | GPO created
Domain Group Policy | 5141 | GPO deleted
Security | 1102 | Event log cleared
Software and Service Installation | 6 | New kernel filter driver
Software and Service Installation | 7045 | New Windows service
Software and Service Installation | 1022, 1033 | New MSI file installed
Software and Service Installation | 903, 904 | New application installation
Software and Service Installation | 905, 906 | Updated application
Software and Service Installation | 907, 908 | Removed application
Software and Service Installation | 4688 | New process created
Software and Service Installation | 4697 | New service installed
Software and Service Installation | 4698 | New scheduled task
External Media Detection | 43 | New device information
External Media Detection | 400 | New mass storage installation
External Media Detection | 410 | New mass storage installation
Group Changes | Scope | Created | Changed | Deleted | Member Added | Member Removed
---|---|---|---|---|---|---
Security | Local | 4731 | 4737 | 4734 | 4732 | 4733
Security | Global | 4727 | 4735 | 4730 | 4728 | 4729
Security | Universal | 4754 | 4755 | 4758 | 4756 | 4757
Distribution | Local | 4744 | 4745 | 4748 | 4746 | 4747
Distribution | Global | 4749 | 4750 | 4753 | 4751 | 4752
Distribution | Universal | 4759 | 4760 | 4763 | 4761 | 4762
